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Description 

Electronic Access Control System and Method 



This invention relates to an electronic lock-and-key access control system 
and discloses a novel and very flexible approach for managing the physi- 
cal security of such a system. Such systems are extensively used in 
industry, in the hotel business, in banks, and in other environments where 
10 it is desirable to control or restrict access to rooms or equipment. Many of 
these systems are using cards, sometimes even smartcards with built-in 
processing power. Such cards are generally magnetically or in other ways 
readable by a reader associated with each lock. To enable or block the 
use of certain keys, to restrict the access timely, or to change the security 
15 system in any other way. access information or messages have to be 

transmitted to - and sometimes from - the locks. This is often done via a 
cabling system connecting the locks to a central security management 
device, but other transmission means are also used. However, the more 
or less direct connection between management device and locks is char- 
20 acteristic for prior art approaches. 

Background 

Each and every one of us relies daily on keys to gain access to our cars, 
homes, and offices, to snap open the lock on our bicycles, or unlatch our 
25 postal boxes. Hence, keys are undeniably an integral part of modern soc- 
ety. Today, most of these keys are still of the mechanical type, as are the 
associated locks. 

Although widely spread, these traditional, mechanical keys suffer from a 
30 number of shortcomings. First, in case of security breach, such as loss of 
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a key, unauthorized duplication, or deprecation of trust assumptions, the 
lock must be replaced. Second, a key is valid as long as the correspond- 
ing lock remains in place. For example, once an access right Is given to 
an individual by handing him/her a key, that right cannot be revoked 
5 unless the key is returned or the lock changed. As a consequence of 
theseHimaationsr-tradlt l onal4ock=anU=key.6y5temsjto_goi allow to Institute 



a time-based access policy, for example allowing access during office 
hours only, or protecting certain areas during certain times of the day. In 
the many environments where such requirements exist, traditional lock- 
10 and-key systems are no more sufficient 

Clearly, traditional keys offer only inflexible and rather limited management 
possibilities, but they are widely available, very reliable, and reasonably 
cheap. Still, replacement solutions with higher flexibility and extensive 
15 management possibilities have been invented and found their way to the 
market For example in hotels and enterprises, electronic locks and 
appropriate electronic keys are wideiy used, providing very flexible and 
rather quick management of access rights. 

20 An example of a system using smartcards of different kinds is shown in 
tee US Patent 5 204 663 to Applied Systems Institute, Inc., which dis- 
closes an access control system with integrated-circult cards, I.e. smart- 
cards, some of which have a memory to store key access information and 
. so-called transaction information. Whereas the key access information 

25 here relates to the immediate use of the key, e.g. the present access code 
of the card, relates the transaction information to other activity, e.g. a log 
of previous use of the lock as it is recorded in the lock's memory, specific 
new access codes to be uploaded into specific locks, or a log of failed 
entry attempts of the card user. Some of this transaction information is 

30 transferred from the lock into the card's memory, some from the card into 
the lock, and some just stored on the card for later readout 
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One example of a lock which may be used in such an environment is the 
SaFixx smartlock, described In the Internet on http://acola.com, a lock 
made by ACOLA GmbH in Villingen-Schwenningen. Germany. The Safixx 
smartlock even exhibits some specific properties (discussed below) that 
TBay-nttkeltquarusefaHn-co^^ 



Other examples can be found in the literature. All of them have one disad- 
vantage. They require a kind of 'direct' access to each and every elec- 
tronic lock in the system, be it that the locks are connected by a cabling or 
radio network to a management center, or that one has to walk up to each 
lock and "reprogram- it manually or electronically, as with the Saf«x smart- 
lock mentioned above or as with the system disclosed in the above-cited 
Lee US Patent 5 204 663. Either of these methods is burdensome: A net- 
work of cables to all locks in a hotel or an plant will usually cost more than 
the electronic locks themselves, a radio transmission system requires a 
transceiver and power in each and every lock and may thus be even more 
expensive (and failure-prone) than a cabling network, and walking to each 
and every lock may be simply impossible in a reasonable time frame. 

Here, the invention intends to provide solutions. To summarize, it is an 
object of the present invention to avoid the above-described disadvan- 
tages and devise a reliable and flexible electronic lock-and-key system 
which has no need for "direct" (in the above sense) connections between 
25 locks and an associated management center controlling security within the 
system. 

Another object is to simplify expansion of a given system when installing 
additional locks or other access or security devices, or to facilitate 
.30 changes within a given system by installing new locks and/or exchanging 
existing ones. 
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A further object is to devise an architecture that allows a practically unlim- 
ited flexibility with regard to protocol changes or security updates between 
management center and locks. Such updates are necessary after a "suc- 
cessful* attack, or after card keys have been lost or stolen, or when secu- 
-rlty-asp ' ecte-ot-th^^ areaS in * - 



15 



plant or tab become "restricted access" areas. 

A specific object is to devise an architecture which allows an "on-the-fly" 
10 expansion of such a system. 

The Invention 

In essence, the novel approach according to the invention concentrates on 
using means, especially hardware, already existing in a usual electronic 
lock-and-key system. Access control and other information which need to 
be updated or changed is disseminated through existing smartcard or 
similar keys and the existing locks without any need for a connection 
between the latter and a central or distributed management center control- 
,ing this information. For this, a suitably adapted networking protocol is 
being used and. wherever appropriate, cryptography to protect the system 
against possible attacks. 

In the following, the primary Innovation, namely the propagation of access 
control information in cable-free environments, is discussed in more detail. 
It is also described how cost effective and easily manageable electronic 
locks can be generally implemented. Thereafter, attacks and implied 
security assumptions of such a system are discussed. 

Contrary to most current electronic security systems, the system disclosed 
in this document does not require fixed network connectivity of any k.nd, 
be it wire-based or radio-based. Consequently, cost associated with 
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cabling or radio transmission equipment is eliminated. Experience shows 
that this cost can be an order of magnitude higher than the cost of the 
locks themselves. It should be mentioned here that in this document the 
term "key" does not designate the traditional metallic key but rather any 
arbitrary carrier of information, e.g. smartcards or IBM's JavaCard. Simi- 
la i ly, \ ) w ter m "l o ck" will u sual l y desi g nat e an e lectronic l o ck 



Instead of the locks receiving electrical power via a fixed cable, the 
required energy to operate the lock can be delivered either through the 
# 10 user's key or through an battery embedded in the lock or door. Clearly, in 
such a construction, power consumption must be kept to a strict minimum 
so that batteries last at least a few years. Electronic locks exhibiting the 
desired physical properties such as tamper resistance, operational reliabil- 
ity and long battery life, already exist on the market. The above men- 
15 tioned SaFixx smartlock is an example of a lock exhibiting these 

properties. The present invention emphasizes the logical aspects of cable- 
free lock constructions, not so much the physical design. 

Description of an Embodiment 

20 In the following, the invention will be described in more detail in connection 
with a drawing which shows a block diagram of a typical access control 
system according to the invention, in particular the principle of message or 
information propagation in such a system. 

25 . As shown, in the Figure, a Door Domain Access Manager (DDAM) 1 is the 
entity holding authority over an ensemble of locks 2. For the sake of sim- 
plicity, only some of them carry reference numbers 2a, 2b, etc. DDAM 1 
plus the set of locks 2 constitute an administrative domain 4. It is 
assumed that DDAM 1 is composed of a single entity, as shown. This 

30 restriction may be removed by applying threshold signatures as described 
by Douglas R. Stinson in "Cryptography - Theory and Practice", CRC 
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Press, 1996, and some more or less straightforward extensions to the 
communication protocol presented in this document. 

Also shown is a plurality of keys 3, of which just a few have reference 
5 numbers 3a, 3b, etc., again to keep the drawing clean. 

Each lock 2, usually associated with a door, as mentioned above, has a 
key (or card) reader of conventional type and a memory. The memory is 
organized to store two different sets of data or information, one first set 
10 consisting of one or more tokens (the number depends on the overall 
organization of the Iock-and-key system), the second set comprising a 
message of so-called designated data, i.e. data designated for other keys 
or locks. The latter is a transient message which is only held for some 
time in the lock's transient memory part 

15 

The keys 3 are of a very similar design as far as their memory is con- 
cerned. Their memory is also able to store two different sets of data or 
information. One first set consists again of one or more tokens (the num- 
ber depending on the overall design of the Iock-and-key system) and may 
20 be called a "key-activating" set The second set consists again of a mes- 
sage of designated data, i.e. a transient message designated for other 
keys or locks, which message is held only for some time in the key's tran- 
sient memory part. Simply said is this latter part of the key's memory the 
information transport path within the whole system. 



25 



30 



Looking at the Figure, one recognizes that, using the keys as transport 
means for the designated data, there is usually a plurality of ways to each 
lock and key. A rather simple example shall clarify this. 

Assume DDAM 1 issues a message for lock 2e (at the bottom), e.g. that a 
certain key, say key 3d, is not allowed to enter the room behind the door 
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of lock 2e. This message designated for lock 2e is "entered" into the net- 
work via line 5, which, latter may be a cable connection, any mobile data 
carrier, a wireless connection of any kind, etc. As soon as lock 2a has 
received the message, each and every key used at this lock 2a receives 
5 and stores in its transient memory part a copy of said message. Key 3a 
will-transport-it-to-loCk-2b r K^ 



lock 2c (and others), from there, the set will travel via key 3c, lock 2d, key 
3d and/or keys 3e to its designation, lock 2e. Mote that even key 3d, who 
would be negatively affected by the transported message, may convey it 
10 to the designated lock 2e. 

As soon as lock 2e receives the designated message, it issues an 
acknowledgement which now travels back through the system in the same 
fashion as the original message until it reaches ODAM 1, which closes the 

15 loop. The acknowledgement, since it recognizably refers to the message, 
erases the still stored (original) message in the both the keys and the 
locks through which it travels. Again, this is the overall function of the 
electronic lock system according to the invention in great simplification; 
details will be apparent from the subsequent description, which also 

20 addresses the theory behind some solutions. 

As mentioned above, a user is granted access through a lock 2 (or door, 
which terms are used interchangeably in this document) only if his/her key 
exhibits an appropriate token issued by the DDAM. All tokens are minted 
25 with an expiration date. The DDAM may choose to revoke the access 
rights of any user at any time. 

Keys are built so that they may hold multiple tokens as well as other types 
of data. Whether tokens are based on public key cryptography, shared 
30 secrets or some other type of securrty primitive is irrelevant at this stage. 
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In addition to storage capacity, doors may have computational capabilities 
allowing them to process tokens issued by the DDAM. The relation 
between DDAM and doors/locks 2 is that of master and slave. It is the 
D DAM's reserved prerogative to determine who may traverse which door 
and until what time and date. Consequently, the doors within an adminis- 
trative dtfmiiin 4 must completel y truct the DDAM and hl i nrily obe yJls. 



orders. However, doors do not honor orders given by a DDAM outside 
their domain. There is no direct cabling linking the doors among them- 
selves nor with the DDAM required. This mandates the alternative com- 
10 munlcation mechanism addressed above so that the DDAM and the locks 
can still exchange information. But note that the possibility of doors 
exchanging messages with one another is not necessarily precluded; also, 
there may be single selective "direct" connections between the DDAM and 
one or more selected locks. 

15 

Suitability Considerations 

As users are required to present a valid token to access a door (by con- 
struction), the dissemination of positive access rights is not an issue. The 
DDAM can pass a token to a given user through a (secure) terminal or the 
20 token can simply be dropped at a door, e.g. lock 2a, until the user unwit- 
tingly picks rt up. Renewing tokens that are about to expire can be accom- 
plished in a similar fashion. 

On the other hand, how can one ensure that a negative token (i.e. access 
25 revocation) reaches the relevant lock without excessive delay? 

The solution for this problem is particularly appropriate in cases where all 
users happen to go through certain central doors, such as a building 
entrance, an elevator, or garage barriers. In another favorable scenario 
30 which is typical of business environments, rapid propagation of information 
is guaranteed by workers who arrive at work in the morning or by the 
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maintenance/security personnel who frequently go through many doors. 
Looking at the Figure, door/!ock 2a may be particularly suitable for that 
purpose. 

As shall be explained later, if control information does not reach the desti- 
nat i on node, i » i^ t lned lock 2, the source, usua ll y the DDAM , will 
not receive an acknowledgment. The DDAM can thus detect failure, it fol- 
lows that in case there is no privileged central door and the target door is 
infrequently visited, the operator of the DDAM is alerted and he/she can 
always walk to the door in question. Critical doers requiring immediate 
information propagation could also be connected to the DDAM with a dedi- 
cated cable or by other "direct* means. 

Network Model 

As explained, to make certain that information is propagated in a timety 
fashion, user's physical keys 3 carry messages to and from between locks 
2 and DDAM 1. Moreover, locks 2 act as a temporary repositories for 
messages designated for other locks. Doors and/or locks are modeled as 
nodes in a network and users as channels linking these nodes. For exam- 
ple, a temporary channel between lock 2a and lock 2b is established when 
a user travels through them, using key 3a. To improve connectivity, inter- 
mediary locks and user keys must act as repositories. As explained 
above, a user Alice may pick up a message from door 2a and leave it at 
door 2b. Then, user Bob with key 3e happens to go through door 2a and 
carries the message to its final destination, say door 2e. 

More generally, both keys and doors contain a snapshot view of all current 
pending traffic, that is, all sent but not yet acknowledged packets. This, 
for any destination within the administrative domain. When a key is 
inserted in a door, both key and door/lock update their respective view of 
the network. Naturally, this update need not be interactive as it can be 
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efficiently performed off-line. This way the user shall not be delayed wait- 
ing for the key and the lock to synchronize when going through a door. 
Off-line updates mandate that each entity possesses its own power 
source. 



Th e Ne tworking Protocot - 



The well-known TCP/IP protocol, as described by W. Richard Stevens In 
'TCP/IP Illustrated". Vol. I, Addison Wesley, 1994. serves as a basis and 
is simplified and somewhat optimized for the novel application. In an 
10 abstract sense, the problem can be stated as the building of a transmis- 
sion control protocol (e.g. TCP) on top of a high-loss, varying-topology 
LAN, 

First, it is assumed that each node of the network, that is a key, a 
15 door/lock or the DDAM, can be addressed individually. Hereafter, the term 
node may refer to a door/lock, a key, or the DDAM. This can be accom- 
plished by using the addressing scheme of any networking layer protocol, 
in particular the Internet Protocol, as described by J. Postel: "Internet Pro- 
tocol" in the publication of the Internet Engineering Task Force, Septem- 
20 ber 1981, RFC .791. 

As mentioned earlier, each node is responsible for propagating messages 
or packets, even if it is not the intended recipient, until the packet is 
acknowledged, at which time the packet is erased from the node's 
25 memory. 

Like in TCP, described by J. Postel: "Transmission Control Protocol" in 
Internet Engineering Task Force, September 1981. RFC 793, each packet 
requiring acknowledgment is sent with a monotonically increasing 
30 sequence number. TCP deals with packet fragmentation caused by the IP 
layer, in the present homogeneous setting, packets are not liable io be 
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fragmented. Hence the sequence numbers correspond to packets and not 
the number of bytes sent. This is unlike TCP, but has the advantage of 
being both simpler and mere space efficient 

Once a message is received, the recipient issues an acknowledgment 

-which is sentback-to4he sender,. acknowiedging-ltie rtfctiived-packet . 

This acknowledgment consists of the usual addressing information and at 
least two other fields: a cumulative sequence number, denoted n, and a bit 
field of w bits length. 

The actual value of n indicates that packets bearing a lower sequence 
number (inclusive) have been correctly received without gaps. The bit 
field provides information on out-of-order packets. The bit field loosely 
corresponds to the so-called "sliding window' of TCP. 

As in TCP, packets outside of the sliding window, that is packets bearing a 
sequence number outside the range n+1 to n+w, are dropped. However, 
if an incoming packet completes to a sequence with no gaps, then n is 
incremented and an acknowledgment sent back to the source. Each 
packet received out of order but within the .sliding window is tallied by turn- 
ing on a corresponding bit in the bit field. 

Thus, after the acknowledgment propagates back the sender of the 
packet, the source can selectively retransmit packets that have been lost. 
Packets that have correctly arrived, albeit out of order, need not be 
retransmitted, Also, packets that have been selectively acknowledged are 
dropped by intermediary nodes regardless of whether the source has 
received the acknowledgment or not, thus preserving precious memory 
space at each intermediary node. 
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It is important to note that acknowledgments presented here have an 
absolute ordering much like cumulative acknowledgments. Thus, they 
may be compared with one another. Consequently, only the newest 
acknowledgment need to be stored by the intermediate nodes as the new- 
est acknowledgment overrides all previous ones. 



10 



Window Size 

it is reasonable to assume that in most cases the frequency of revocation 
messages sent to a specific door or lock is low. Thus, very small window 
sizes (say 2) may amply suffice to satisfy the needs of even large 



organizations. 



15 



However, for exceptional cases, the window size can be increased at will. 
This can be accomplished by the DDAM sending out a broadcast mes- 
sage instructing all doors to adjust the window size for a given source/des- 
tination pair. Broadcast messages bear a fixed destination address 
recognized by all. 



20 
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Cfocking information 

The DDAM could keep time on behalf of alJ other entities in the administra- 
tive domain. The DDAM sends timing updates as frequently as it can (i.e. 
each time it has contact with a user or door). As with acknowledgments, 
only the latest clock information need be stored by intermediate nodes, 
again saving precious memory space. In this way, there is no need for 
doors to have individual clocks. 



Cryptographic A spects 

The cryptographic representation of a token can have overreaching effects 
on security management The security implications of a secret key based 
architecture shall first be discussed. Next, the implications of a public key 
architecture are described. 
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Shared Secret 

Tokens can be based on a shared secret between the DDAM and the 
locks. Let us assume the DDAM and lock { share the secret To grant 
5 user ia access through /j, the DDAM would authenticate the access string 
aq.where— rr 

a y = "Let u x through /, until 1/1/2001°. (1) 

10 The authentication could be based on any secure keyed message authen- 
tication function, such as HMAC as described by R. Canetti et af in 
"HMAC: Keyed-Hashing for Message Authentication", Engineering Task 
Force, February 1997, RFC 2104. We have 

15 4 - HMAC(s it 3q) II a* , 

were t% is the access token and || denotes string concatenation. Note 
that tokens could have other representations based on different types of 
authentication. User i/i would be granted access through /j by presenting 
20 the token 4 until 1 January 2001 . 

As in any digital representation of information, a token may be easily dupli- 
cated. In the shared secret setting, if a token can be "seen" by a rogue 
lock or any other unauthorized party, then the token has been effectively 
25 stolen. Indeed, the attacker could present the stolen token to the corre- 
sponding lock and obtain illegitimate access. 

To mitigate the menace, security must be augmented by other means. For 
example, one may impose a universally unique serial number to be burned 
30 into each physical key, i.e. smartcard or the like, and issue tokens for a 
particular serial number. This may provide enough security to repel 
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unsophisticated attackers. However, a determined adversary may print 
his/her own physical key with fake serial numbers. 

For high security applications, it is crucial that the physical key allows only 
selects access to information. As a physical key is inserted in a lock it 



passage through that lock. However, the particular lock should not be 
able to read tokens (on the key) relevant to other locks, possibly in other 
administrative domains. But even if a.physical key allows selective access 
to information, lock 4 can pretend to be lock /, and steal the token (for / y ). 

The token duplication attack constitutes a severe threat, particularly if 
electronic locks become truly ubiquitous. Universal deployment means 
that physical keys will be used in mutually untrusting domains. 

One can protect against this attack by requiring the lock to identify itself to 
the physical key; on!y then will the key reveal the token for the identified 
lock. 

If this identification is based on a shared secret between the doors and the 
users, the number of shared secrets will explode for even medium sized 
organizations because each lock will have to share a secret with each 
user that goes through it. Thus, lock-user shared secrets may be suitable 
for small settings only. 

Alternatively, a KryptoKnight type third party authentication technique may 
be used as described by P. Janson et al "Scalability and flexibility in 
authentication services: The KryptoKnight Approach" in IEEE INFOCOM 
•97, Tokyo. Japan. April 1997. and R. Bird et al "The KryptoKnight family of 
light-weight protocols for authentication and key distribution" in IEEE 
Transactions on Networking. 1995. Also, a Kerberos type third party 
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authentication techniques could be employed, described by J. Kohl et al. 
The Kerberos Network Authentication Service", V5, internet Engineering 
Task Force, September 1993, RFC 1510 and by B. Clifford Neuman et al 
in "Kerberos: An authentication service for computer networks", IEEE 
Communications Magazine, 32(9): pp.33-38, September 1994. In such a 
ls c h eme f _alLusers„ao d _locks_v/ o ul d _shar e _a_secret,with.the_DDAM Ginee 



the DDAM shares a secret with all nodes, it can convince any node of the 
identity of another. 

10 Let $ represent the long term secret that user U\ shares with the DDAM, 

and -sj the secret that lock < shares with the DDAM. The DDAM would ran- 
domly choose an encryption key fc. The access string ay would become: 



15 



a* ="Let through 4 user knowing k, until 1/1/2001" (2) 
The DDAM would issue the ticket 7$ defined as 

7i= {HMAC^aaJH^lUk}^ (3) 

20 where {m}* denotes symmetric encryption of message m using encryption 
key x and a g is given by equation (2). 

User u\ would strip the encryption {k}s, from the ticket 7y to retrieve the 
token U. It would then obtain k from {k}s t by decrypting it with its long 
25 term shared encryption key with the DDAM, that is Si. 

To pass tough door <, the user would present fij. The lock t, would retrieve 
the encryption key k contained in by decrypting *q with its long term 
shared secret key, sj. The door would then challenge the user for the 
30 knowledge of encryption key k. If the response checks with the issued 
challenge, then the user would be granted access. 
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Mote that the DDAM has to preeompute 7, for given message a, and given 
nodes ia and f h Remember that there is no direct channel (a connecting 
cable or the like) to the DDAM. Consequently, the Kerberos setting is 
unsuitable for situations where either the message being authenticated or 



limitation if the application requires that disruption attacks be thwarted. 

TTie verbosity of the access string a, should indicate to the reader that the 
protocol just described is not optimized, but is essentially intended for illus- 
tration purposes. 

Public Key Setting 

An alternative setting would have the DDAM and all users within the 
domain hold a public/secret key pair. Each lock within an administrative 
domain would be installed with the DDAM's public key. The DDAM would 
then certify the public keys of all users within its administrative domain. 

The access token for user u. through lock /, would be the DDAM's signa- 
ture on the message a», as defined in equation (1). Whenever a user 
wishes to cross a door, it would present the token to the lock, which would 
verity DDAM's signature. To prevent impersonation, the door would 
require the user to prove knowledge of the secret key corresponding to the 
user's (DDAM certified) public key. 

This proof can be based on any challenge response type protocol, such as 
described by 10 by C. P. Schnorr in "Efficient signature generation by 
smart cards". Journal of Cryptology, 4(3): pp.161-174, 1991, or by Uriel 
Feige et al in "Zero-knowledge proofs of identity", Journal of Cryptology: 
the journal of the International Association for Cryptologic Research. 1(2): 
pp. 77-94, 1988. or by Jean-Jacques Quisquater and Louis Guillou in "A 
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practical zero-knowledge protocol fitted to security microprocessor mini- 
mizing both transmission and memory" in Christoph G. Gunther, editor, 
Advances in Crypt6logy—EUROCRYPT88 t Volume 330 of Lecture Notes 
in Computer Science, pp. 123 -128, Springer-Verlag, May 1988. 

Th e so l ution just pr e s e nted se p a rat es the user's cred e ntials from h i s/h er 
public key. Thus, Alice's credentials may be transported to the relevant 
door without Alice having to intervene. To benefit from new credentials, 
Alice just has to prove her identity. Alice does not have to obtain a new 
secret from the DDAM nor change her public key. The new credentials 
are transparent to Alice. On the other hand, if one had tied each of Alice*© 
credentials to a corresponding secret held by Alice, then Alice would have 
to communicate to the DDAM on a secure channel each time her creden- 
tials changed. 

For example, in the Quisquater-Guillou (above) protocol, the DDAM would 
send Alice her new credentials, denoted by the string J, and a correspond- 
ing secret 8, such that 

75* = 1 mod n (4) 

where n is a public modulus and v is a public exponent. Let <p denote 
Euter's <p function. Only the DDAM knows the inverse of v mod <p(ri), 
and hence can efficiently compute fl, verifying equation (4). 

To allow the access rights granted by J, the relevant lock would challenge 
Alice with a random number and check that Alice knows the secret corre- 
sponding to J, that Is S. As usual, Alice does not reveal B as a result of 
the challenger-response protocol. Note that the secret B has to be sent by 
the DDAM to Alice on a secure channel. 





SZ 9-99-002 ^^^^.wfrW* I^H 



- 18- 



5 



10 



Fa/ss 4 cknowledgment inj&ctions 

In case an attacker is able to inject an acknowledgment message bearing 
a high sequence number, all intermediary hops will drop packets bearing a 
lower sequence number. Although this disruption attack will eventually be 
_^ tPfjp ijr^^ prevent n i l c n mm nnr r rti o n * h-*^ rn thr 



DDAM and the locks. 

In a variant attack, assuming that newer messages have higher priority, an 
attacker may flood locks by sending fake packets bearing high sequence 
numbers. The intermediate nodes will regard such packets as being 
newer and drop lower sequence numbered but genuine messages. This 
will also disrupt comm unications. 

High security applications, especially those sJated for universal deploy- 
ment, mandate that all messages, including acknowledgments, be authen- 
15 Heated. Thus, all nodes, that is all doors/locks, users and the DDAM 
would have a public key certified by the DDAM. 

The Kerberos type shared secret setting does not allow for messages to 
be authenticated for two dynamically chosen parties. Thus disruption 
attacks can only be prevented in the public key setting. 

20 From the above discussion of the security implications of shared key ver- 
sus public key based architecture it should have become clear that, 
because of the key explosion problem, a shared key architecture 's suit- 
able only for low security applications or for small scale deployment, 
whereas high security applications or universal deployment both mandate 

25 public key cryptography. 



It should also have become clear that the invented flexible architecture for 
managing physical security using electronic locks and physical keys 



described hereinbefore does not require a permanent channel between 
the locks and a security management center. The question of timely 
propagation of access control information raised by the missing perma- 
nent connection is solved by having users act as transmission channels 
5 and locks as message repositories. 

Those skilled in the art wiil be able to implement the above-described 
cabfe-less lock-and-key access control system as is or with various modifi- 
cations and adaptations without departing from the scope and spirit of this 
invention. Other embodiments will be apparent to persons skilled in the . 
10 art on the basis of the above specification and practice disclosed herein, 
the scope of the invention being indicated by the following claims. 
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Claims 



1. An access control system with a plurality of locks and keys, at least 
part of said locks and keys having memory means, 
5 characterized by 

^aidjneiiiuiyj n^ 
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mation concerning any access rights of said key and information desig- 
nated for other keys and/or locks, 

• said memory means of a lock being equipped to receive and store 
information concerning any access rights for said lock and information 
designated for other keys and/or locks, and 

• means for exchanging said information between locks and keys. 

. 2. The access control system according to claim 1 , wherein 
15 • the information concerning access rights of a key includes one or more 
tokens and/or the information designated for other keys and/or locks 
includes one or more messages for said keys and/or locks. 

3. The access control system according to any of the preceding claims, 
20 wherein 

• the memory means in the key and/or the lock stores at least a partial 
view of the system and 

• the exchanging means triggers an update of said view. 

25 4. The access control system according to claims 3, wherein 

• the update triggered by the exchanging means is performed off-line, 
particularly right after said exchanging means has completed its func- 
tion. 
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5. The access control system according to any of the preceding claims, 
wherein 

• the information designated for other keys and/or locks includes one or 
more messages for said other keys and/or locks and is exchanged off- 

5 line between a key and a lock. 

6. The access control system according to one or more of the preceding 
claims, wherein 

• the means for exchanging information between a lock and a key are 
10 activated when said key is engaged with said lock. 

7. A key for use in an access control system according to any one of the 
preceding claims, wherein 

• the memory means includes a read/write section dedicated to the infor- 
J 5 mation designated for other keys and/or locks. 

: 8. The key according to claim 7, characterized by 

• a power source, preferably being rechargeable when said key is used 
with a lock. 
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9. A lock for use in an access control system according to any one of the 
claims 1 to 6, wherein 

• the memory means includes a read/write section dedicated to the infor- 
mation designated for other keys and/or locks. 

10. The lock according to claim 9, characterized by 

• a power source, preferably being rechargeable when a key is used with 
said lock. 
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11. A method for propagating information in an electronic lock-and-key 
system, characterized in that 

• an original message to be propagated to an n-th lock or key is inserted 
into a memory of a first lock or a first lock, respectively. 

• on any use of said first key or said first lock, said original message is 
^pj Q dMo r unornor\' of n cocond inr. f r * r ir» y ^i^j i ^)^^^^^ 
remains in Q^ir( fir*+ ^_ x: _. 



^' ">"T i ■ ■-..i p^^utfLi y ^-g 

remains in said first lock's or first key's, respectively, memory, 
on any subsequent use of said first and/or second key and/or'said first 
and/or second lock, said original message is copied into a memory of a 
next lock or key, respectively, but remains in the memories of said pre- 
viously used locks and/or keys, respectively, 

until said original message, propagated in the described snowball-like 
way, reaches its destination, i.e. said n-th lock or key. 



12. A method for propagating information in an electronic fock-and-key 
system, characterized in that 

• an original message to be propagated to an n-th lock or key is stored in 
a memory of a first lock, 

• when a first key is used with said first lock, said original.message is 
copied into said first key's memory, but remains in said first lock's 
memory, 

• when said first key is used with a second lock, said original message 
copied into said second lock's memory, but remains in said first key's 
memory, 

25 • when a second key is used with said second lock, said original mes- 
sage is copied into said second key's memory, but remains in said sec- 
ond lock's memory, 

• until said original message, propagated in the described way, reaches 
its destination, Le. said n-th lock or key. 

30 
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13. The method for propagating information according to claim 11 or claim 
12, further characterized in that 

• the n-th lock or key produces a confirmation message acknowledging 
reception of said original message which confirmation message serves 
to control erasing of the copies of the original message in the memo- 
rie s of th e locks and ko vs. 

. 14. The method for propagating information according to claim 13, further 
characterized in that 

• the confirmation message is propagated through the system in the 
same way as the original message, 

• said confirmation message, when received by a lock or key whose 
memory still contains a copy of said original message, acts on, in par- 
ticular serves to erase said original message. 

15. The method for propagating information according to any of the claims 
11 to 14, further characterized in that 

• after a selective or universal time-out, copies of said original message 
are selectively or universally erased. 

16. The method for propagating information according to any of the 
claims 11 to 15, wherein 

• original messages and/or confirmation messages, especially those 
concerning the same lock or key, are ordered, in particular sequentially 
numbered. 

17. The method for propagating information. according to claim 16, further 
characterized in that 

• any message of lower order, in particular with a lower sequence num- 
ber, is erased in the respective memory when a message of higher 
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order, in particular with a higher sequence number, is received by a 
lock or key during propagation. 



18. The method for propagating information according to any of the pre- 
ceding method claims 11 to 17, wherein 

» — orfglnal-messayBb-and/ ui-Luiifim 

encrypted, in particular using a shared key encryption scheme and/or a 
public key encryption scheme. 
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Abs tract 

Electronic Access Control System and Method 



Disclosed is a new and flexible approach for managing physical security in 

— 5 an-tgl^ctronic-luck^aM^key^sy ^tem.-^ Thb- ii uveKappruach-do^saway-with 

cabling or other direct connecting between locks and a system manage- 
ment center. The (physical) keys serve to disseminate access control and 
other information within the system in a snowbalHike way, using an 
adapted, but simple networking protocol. Whenever appropriate, crypto- 
10 graphic schemes are applied to protect the system. 
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